IETF Logo Mail Archive

Re: [BEHAVE] four data models: SYSLOG, IPFIX, SNMP, RADIUS

"Reinaldo Penno (repenno)" <repenno@cisco.com> Mon, 16 July 2012 22:41 UTC

Return-Path: <repenno@cisco.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9796111E8340 for <behave@ietfa.amsl.com>; Mon, 16 Jul 2012 15:41:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7OKFdOst+V7Q for <behave@ietfa.amsl.com>; Mon, 16 Jul 2012 15:41:23 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id B949A11E833D for <behave@ietf.org>; Mon, 16 Jul 2012 15:41:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=repenno@cisco.com; l=3111; q=dns/txt; s=iport; t=1342478529; x=1343688129; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=ddVk3RiJdLmerO750aN+T2rqoSm72o90vU/iw4TTXDU=; b=WkCrKqgEnDl+/hQm/icGaSkJvpd+uGOL/TXCLdNcUIS6FC6HlAX+Xdlg Lw5QQPfA7CgaD/bgojP1PxNmpU08V1G3VpfsMHcdKI8/o0/QXh5mMbH48 2TXFeBs5plsb3Y68CdIIgxTDV2O2MT6YYgpu6jjwl/Yln57tZSxcW/331 k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EADeXBFCtJV2d/2dsb2JhbABFuVGBB4IiAQQBAQEPASc0CxIBCA4oNwslAQEEAQ0FIodrC5wboB6LQIZHA5U7gRKNDoFmgl8
X-IronPort-AV: E=Sophos;i="4.77,597,1336348800"; d="scan'208";a="102404408"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-5.cisco.com with ESMTP; 16 Jul 2012 22:42:09 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id q6GMg97e006759 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <behave@ietf.org>; Mon, 16 Jul 2012 22:42:09 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.177]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.02.0298.004; Mon, 16 Jul 2012 17:42:07 -0500
From: "Reinaldo Penno (repenno)" <repenno@cisco.com>
To: Tassos Chatzithomaoglou <achatz@forthnetgroup.gr>, "Dan Wing (dwing)" <dwing@cisco.com>
Thread-Topic: [BEHAVE] four data models: SYSLOG, IPFIX, SNMP, RADIUS
Thread-Index: Ac1jfDSEsfkpVZMvSuucIiFo9SIW+wATtQ8A//+Q2YA=
Date: Mon, 16 Jul 2012 22:42:07 +0000
Message-ID: <CC29E4F5.7E79%repenno@cisco.com>
In-Reply-To: <5004938A.5050306@forthnetgroup.gr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.13.0.110805
x-originating-ip: [10.21.68.77]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19042.004
x-tm-as-result: No--44.033400-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-ID: <E73782BF9D75D34082B30491C981BEBD@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] four data models: SYSLOG, IPFIX, SNMP, RADIUS
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jul 2012 22:41:24 -0000

I see the question a bit differently.

I believe we should provide some level of standardization across these
protocols. For example, binding type representation, port ranges,  mapping
count, etc should be represented by the same data model in all protocols.
We proposed that in Taipei but at that time maybe the problem wasn't ripe.

Going on step further, in case of NAT logging we should agree on basic
information set irrespective if somebody would use Radius, IPFix or any
other protocol.

Thanks,

Reinaldo  

On 7/16/12 3:19 PM, "Tassos Chatzithomaoglou" <achatz@forthnetgroup.gr>
wrote:

>Imho, every protocol is destined to cover specific needs.
>
>For auditing reasons (which is my primary concern curtently) i would
>prefer to use RADIUS
>(or DIAMETER or anything AAA related), as long as the frequency of acct
>records remains 
>within limits. Passing information to subscriber sessions could also be
>done through 
>RADIUS push.
>SYSLOG is good for fast one way communication and maybe it could be used
>for alerting.
>SNMP (notifications) could also be used for alerting, but its usage for
>on-demand or 
>historical detailed statistics gatherings should be preferred.
>IPFIX could be used for near realtime logging and of course for
>statistics.
>
>Generally i agree with your concerns, but instead of "choosing" only one
>protocol, i would 
>prefer to have the scope of each protocol clearly/strictly defined, so
>depending on my 
>needs i knew what to deploy.
>For me, it would be an ugly joke if i had to deploy SNMP or IPFIX in
>order to have the 
>historical correlation of username & IP-related stuff.
>
>--
>Tassos
>
>Dan Wing wrote on 16/7/2012 20:55:
>> As an individual, I have been worried about the possibility of disparate
>> data models for NATs.  We currently have four ways to report information
>> about a NAT or other address-sharing device,
>>
>> SYSLOG, 
>>http://tools.ietf.org/html/draft-zhou-behave-syslog-nat-logging-00
>> IPFIX, http://tools.ietf.org/html/draft-sivakumar-behave-nat-logging-05
>> SNMP, http://tools.ietf.org/html/draft-perreault-sunset4-cgn-mib
>> RADIUS,
>> 
>>http://tools.ietf.org/html/draft-cheng-behave-cgn-cfg-radius-ext-03#secti
>>on-
>> 4.2
>>
>> My concern is that operators may find it necessary to deploy all four
>> protocols (IPFIX, SYSLOG, SNMP, and RADIUS) to get their needed logging
>>and.
>> This seems undesirable.  Imagine, for example, that only one of those
>> protocols supported pseudo-random port assignment but only one other
>> protocol provided alarms for when a subscriber consumed all their ports
>>(and
>> thus might open a support case with the operator that "the Internet is
>> down").
>>
>> Are my concerns misplaced?
>>
>> -d
>>
>>
>> _______________________________________________
>> Behave mailing list
>> Behave@ietf.org
>> https://www.ietf.org/mailman/listinfo/behave
>>
>
>
>_______________________________________________
>Behave mailing list
>Behave@ietf.org
>https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email